Published on: Not Yet Published
Last Modified on: 11/09/2022 10:03:00 PM UTC
OpenFGA is a high-performance authorization/permission engine inspired by Google Zanzibar. Versions prior to 0.2.5 are vulnerable to authorization bypass under certain conditions. You are affected by this vulnerability if you added a tuple with a wildcard (*) assigned to a tupleset relation (the right-hand side of a 'from' statement). This issue has been patched in version v0.2.5. This update is not backward compatible with any authorization model that uses a wildcard on a tupleset relation.
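As an added check (not code from the advisory or the OpenFGA project), the script below walks an authorization model for every relation used as a tupleset (the right-hand side of a 'from') and flags stored tuples that assign a wildcard user to one of them, which is the affected condition described above. The model JSON and tuples are constructed samples; the field names assume OpenFGA's 0.2.x JSON model schema, and the wildcard test accepts both the bare `*` of that era and the later typed `type:*` form.

```python
import json

# Constructed sample model in OpenFGA's JSON model format (assumption: the 0.2.x
# schema keys this/tupleToUserset/tupleset/computedUserset/union). The document
# relation "viewer from parent" makes "parent" the tupleset relation.
MODEL = json.loads("""
{"type_definitions": [
  {"type": "folder", "relations": {"viewer": {"this": {}}}},
  {"type": "document", "relations": {
    "parent": {"this": {}},
    "viewer": {"union": {"child": [
      {"this": {}},
      {"tupleToUserset": {"tupleset": {"object": "", "relation": "parent"},
                          "computedUserset": {"object": "", "relation": "viewer"}}}]}}}}]}
""")

# Constructed sample tuples; pre-0.2.5 stores wrote the public wildcard as a bare "*".
TUPLES = [
    {"user": "user:anne", "relation": "viewer", "object": "folder:x"},
    {"user": "*", "relation": "parent", "object": "document:1"},  # wildcard on tupleset relation
    {"user": "*", "relation": "viewer", "object": "folder:y"},    # wildcard on a direct relation
    {"user": "folder:x", "relation": "parent", "object": "document:2"},
]

def _collect_tuplesets(userset, out):
    """Walk one relation's rewrite tree and record every tupleset relation name."""
    if "tupleToUserset" in userset:
        out.add(userset["tupleToUserset"]["tupleset"]["relation"])
    for op in ("union", "intersection"):
        for child in userset.get(op, {}).get("child", []):
            _collect_tuplesets(child, out)
    for operand in userset.get("difference", {}).values():  # base and subtract
        _collect_tuplesets(operand, out)

def tupleset_relations(model):
    """Return the (object type, relation) pairs read as tuplesets by some 'from'."""
    found = set()
    for td in model["type_definitions"]:
        names = set()
        for rewrite in td.get("relations", {}).values():
            _collect_tuplesets(rewrite, names)
        found.update((td["type"], name) for name in names)
    return found

def wildcard_tupleset_tuples(model, tuples):
    """Return stored tuples with a wildcard user on a relation the model reads as a tupleset."""
    affected = tupleset_relations(model)
    return [t for t in tuples if (t["user"] == "*" or t["user"].endswith(":*"))
            and (t["object"].split(":", 1)[0], t["relation"]) in affected]
```

Any tuple the last function returns must be removed or rewritten before upgrading, since v0.2.5 rejects models that rely on a wildcard on a tupleset relation.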
- CVE-2022-39352 has been assigned by [email protected] to track the vulnerability - currently rated as CRITICAL severity.
- Affected Vendor/Software: openfga - openfga version < 0.2.5
CVSS3 Score: 9.8 - CRITICAL
OpenFGA Authorization Bypass · Advisory · openfga/openfga · GitHub (github.com)
Known Affected Configurations (CPE V2.3)